Enjoy the holiday weekend, America? Well-rested? Good. Supermicro server boards can be remotely hijacked
Virtual USB hub allows attackers to get into BMCs
Tens of thousands of servers around the world are believed to be hosting a vulnerability that would allow an attacker to remotely commandeer them.
The team at Eclypsium says it has discovered a set of flaws it refers to as USBAnywhere that, when exploited, would potentially allow an attacker to take over the baseboard management controller (BMC) for three different models of server boards: the X9, X10, and X11.
BMCs are designed to be a sort of always-on remotely accessible "computer within the computer" that allow admins to connect to a server over the network and perform critical maintenance tasks, like updating the OS or firmware.
Ideally, BMCs are locked down within the network in order to prevent access by anyone outside of the company. In some cases, larger companies even opt to use their own BMC firmware that is fine-tuned for their data centers and applications.
In a few cases, however, those BMCs are left open to the internet and can be managed over a web interface – usually very easily since they aren't typically designed with security in mind. Here is where the vulnerabilities discovered by Eclypsium come in.
The target of the attack is the virtual media application that Supermicro uses for its BMC management console. This application allows admins to remotely mount images as USB devices, a useful tool to manage servers but also a security liability.
"This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely," Eclypsium said.
"The combination of easy access and straightforward attack avenues can allow unsophisticated attackers to remotely attack some of an organization’s most valuable assets." The team found four different flaws within the virtual media service (on TCP port 623) of the BMC's web control interface.
They included the use of plaintext authentication and unauthenticated network traffic, as well as weak encryption and an authentication bypass flaw in the X10 and X11 platforms that allows new clients on the virtual media service to run with the old client's permissions.
Can we talk about the little backdoors in data center servers, please?READ MORE
According to Eclypsium, the easiest way to attack the virtual media flaws is to find a server with the default login or brute-force an easily guessed login. In other cases, the flaws would have to be targeted.
"If a valid administrator had used virtual media since the BMC was last powered off, the authentication bypass vulnerability would allow an attacker to connect even without the proper username and password," the report explains.
"Given that BMCs are intended to be always available, it is particularly rare for a BMC to be powered off or reset. As a result, the authentication bypass vulnerability is likely to be applicable unless the server has been physically unplugged or the building loses power."
What's worse, Eclypsium believes that tens of thousands of servers contain this vulnerability and are open to the internet. A quick Shodan search on port 623 turned up 47,339 different BMCs around the world.
Fortunately, there is a fix out. Eclypsium said it has already contacted Supermicro and the vendor has released an update to fix the vulnerabilities. Organizations are advised to contact their server vendor and make sure they are running the latest version of the BMC firmware. ®